DEV Community

Surjith S M
Surjith S M

Posted on

How to Hide Email Address from Bots yet Show it to Humans

Disclaimer: We can't stop Human Spam Bots though

The Problem

We are afraid to show our email ID to our website users as we all know it definitely attracts bots.

The Broken Solution

To beat spam bots, we have used some solutions like this

email [at] example [dot] com

Even its a good idea to show it this way, There are two problems.

  1. Bot can easily programmed to parse email from this format.
  2. Its actually a UX pain point for users to send email.

The Real Solution

There is one way we can use to hide email address to bots but your users won't even notice it.

It is by using an Email Obsfuscator which converts your email using Character Entities. You can do this online with two clicks. Check out this online obfuscator

// Before
<a href=""></a>

// After
<a href='mailto&#58;ema%69&#108;&#64;%&#54;5&#120;&#37;&#54;1&#109;ple&#46;co&#109;'>email&#64;&#101;x&#97;mple&#46;co&#109;</a>

// User See

Yes. The code looks funny, but it works. It keeps out the bots as they are scanning the code. What I really like in the solution is it won't obfuscate all characters. Instead they leave some as normal. This makes even hard for bots to convert the entities to normal email. Pretty neat idea.

Are you using this method already? What do you think? Let me know your comments.

Top comments (4)

petezahad profile image
Mathias Stocker

The Broken Solution:
"Bot can easily programmed to parse email from this format"

The Real Solution:
Is there any reason why bots are not able to adapt to decode the mailto string - it is also just a format?

mvrc profile image

Doesn't work with bots that look for dynamically loaded content or already processed html..
You can try this method with this tool:
And the url to scrape:

I'd say the best way to hide them using a server side script or a recaptcha.

gkumarau profile image
Gourav Kumar

There is an even better trick. It's called Email cloaking.
Check the following repo:

petezahad profile image
Mathias Stocker

What about Bots rendering javascript (like your browser) look trough the (rendered) DOM and simulate the return value of the click event attached to "a" tags?

In my opinion there is no "Real" solution for this. It will prevent basic html fetch bots to receive email-adresses, but once a more sophisticated bot has an email address you will find it soon it a number of databases used for spamming.